Atemu

Atemu , 7 months ago

And, even more importantly, search.nixos.org/options to figure out which options to set. Always search for options first. “Installing” something by just adding the package to systemPackages etc. is usually the correct thing to do for end-user applications but not for “system things” such as services.

Atemu , 7 months ago

In firefox, you can even just right click an image from the web and set it as the background directly.

Atemu , 7 months ago

Depends. There was that one F2P COD clone which used TCP and IIRC it did fine?

Atemu , 7 months ago

On a separate note, 5800X3D seems to be most efficient (throughput/watt) consumer grade CPU out there right now.

Pretty sure the 7800x3D surpasses it and the 7950x3D is no slouch either.

Atemu , 7 months ago

You could take the revision number. nixos-unstable has 567011 commits currently.

Atemu , 7 months ago

I’ve discovered DeSEC recently too and have been positively surprised by it. I use it for DNS but they also have dyndns on a shared domain similar to DuckDNS.

Atemu , 7 months ago

You can always use regular DNS and simply point your domain’s records at hosts on your home’s local network and/or the mesh VPN addresses. I do that with Tailscale.

Atemu , 7 months ago

Problem is that the average person cannot discern between an actual expert and a charlatan.

Atemu , 7 months ago

It’s unkown whether he improved his temper or whether he just built a very good mail filter for himself though.

Atemu , 7 months ago

I meant that as a reply to the second paragraph which generalised anarchism; including the non-Linux world.
I also disagree that this isn’t an issue in the broader Linux community however. See for example the loud minority with an irrational hate against quite obviously good software projects like systemd who got those ideas from charlatans or “experts”.

Atemu , 7 months ago

Why does it need to be public-facing? There may be solutions that don’t require exposing it to billions of people.

Security is always about layers. The more independent layers there are, the fewer the chances someone will break through all of them. There is no one technology that will make your hosting reasonably secure, it’s the combination of multiple.

You’ve already mentioned software ran inside an unprivileged sandbox.

There’s also:

• Sandbox ran unprivileged inside a VM
• VM ran inside unprivileged sandbox
• Firewall only allowing applications to open certain ports
• Server running all of that hosted by someone else on their network with their own abstractions

Atemu , 7 months ago

Currently, Lemmy communities appear as group accounts on mastodon which boost every post or comment posted to/in a community. This is effectively useless except for extremely low traffic communities maybe.

It’s not clear to me whether this is a Lemmy or Mastodon issue.

Atemu , 7 months ago

The other replies answered your question already, but this may solve your little “problem” here: Apple offers free in-person training sessions on how to use their products. They’re intended precisely for non-technical people like your mother.
So, if you don’t want to be the person teaching her how to use iOS, you could look into getting her to attend these sessions instead.

You can fault Apple for many things but this offer of theirs is just great on every level IMHO.

www.apple.com/today/

Atemu , 7 months ago

I wouldn’t be surprised if this programme made them a rather sizeable profit even if they had a typical margin on their products.

Atemu , 7 months ago

It’s just a less expensive OEM with smaller profit margins can’t afford to do things like this

No, that’s what I mean by “even if they had a typical margin”. I’m saying it could be profitable despite their insane margin because you get people buying more of your products.

Atemu , 7 months ago

If your TP looks like the flag of Japan after wiping your ass, you should go see a doctor.

Atemu , 7 months ago

The best info you can get on “battery capacity” is what the battery controller exposes and even that’s just an educated guess on its side. It’s no different on macOS but at least there you have a somewhat standardised interface for this kind of information; allowing apps to access it in a generic way.
If your controller firmware doesn’t expose the info to the kernel, you won’t be getting it, sorry.

I doubt this is a hardware issue though. Even a battery at 80% capacity won’t lose it all overnight when the device is actually in deep sleep.
With this many services each doing their own power management, I would not be surprised if it never got there. Do a bug report and analyse it using battery historian to get an idea of where the power draw comes from.
An easier test would be to simply shut all of those services down for a given time frame, measure power draw (%/h) and compare to when all of them are running. Safe mode might come in handy here as you can be sure there’s no user app running in that state. If it’s many % per hour in that state, there’s either an issue with the OS or indeed the HW.

Atemu , 7 months ago

I’d highly recommend setting up a swap partition instead.

Atemu , 7 months ago

If you need to set up a special dedicated subvolume, might aswell set up a partition instead; it’s just simpler.

With a swapfile you also can’t do multi-device setups which is a limitation I personally couldn’t live with.

Atemu OP , 7 months ago (edited 7 months ago)

This is a lot to take in; it’s basically an overview of all the interesting features of Nix. When starting out, you don’t need this kind of in-depth knowledge. I personally gathered most of what was covered here in over 6-12months of using it and I did just fine.

It might still not be for you but don’t take this as the reference point.

Atemu OP , 7 months ago

While that is true, it’s also r13y on another level: Reproducible evaluation. That mostly stems from pure eval and locking.

In the “before times”, you’d get your Nix expressions from some mutable location in the Nix path, so running i.e. a nixos-rebuild on your configuration could produce two different eval results when ran at two different times, depending on whether anything about your channel configuration changed in the mean time. This cannot happen with flakes as all inputs are explicitly given and locked.

You could achieve the same using niv etc. before but that had its own issues.

Atemu OP , 7 months ago

I haven’t used channels in years, but doesn’t that just refer to the running system, not using Nix to build projects?

I have no idea what you’re trying to say here.

Atemu OP , 7 months ago

There’s the WIP NixOS-based SnowflakeOS that aims to make NixOS approachable for mere mortals but that’s still declarative configuration and of course still NixOS under the hood.

There’s a bunch of immutable distros out there that use OStree or some other imperatively managed snapshotting mechanism such as Fedora Silverblue or VanillaOS.

Atemu OP , 7 months ago

How do you compose Guix projects?

Atemu , 7 months ago

Why go through all of that complexity when you could just sudo apt install docker?

Atemu , 7 months ago

That’s not at all grep-like. Grep is a line filter, not a character sequence highlighter.

Atemu , 8 months ago

Tables	do	exist	!

<span style="color:#323232;">| Tables | do | exist | ! |
</span><span style="color:#323232;">|--------|----|-------|---|
</span>

Atemu , 8 months ago

with a 200$ card, and you save a lot of money using the video card instead of buying extra storage space.

With $200, you could buy ~12TB worth of HDD(s) instead. You’d need >36TB of video for that to make financial sense and you’d always lose quality.

Additionally, you’d have to factor in the power it needs to transcode but, with HW accel, it’s not quite as much as with CPUs.

Atemu , 8 months ago

The “av1” numbers, which codec is that? There are many av1 encoders and even for Intel HW accel, there are at least two.

Atemu , 8 months ago

Oh the data is absolutely fine and helpful; I only take issue with the conclusion ;)

Atemu , 8 months ago

That is not representative of what you’d get with an Intel card then. While they implement the same standard (AV1), they’re entirely different encoders with entirely different image quality characteristics.

Atemu , 7 months ago

Yes, yes it will. (Well, at least it should. If it doesn’t, that’s a bug.)

The problem here is that the premise of this post is evaluating buying a GPU with AV1 encoder in order to transcode a media library. Any GPU-based AV1 encoder will produce very different results than svt-av1, likely much worse results that is.

Atemu , 8 months ago

meaning every step of building the kernel, including the steps taken to build the C compiler toolchain, are produced by code that is simple enough to check for correctness and safety.

Full-source bootstrap isn’t about just the kernel, it affects every piece of software. With GUIX and Nix, every single package can be fully traced back to the bootstrap seed.

Though it should be noted that you do require a running Linux kernel on an x86 machine in order to bootstrap.

it is not quite to the point where it /just works/ on a lot of the computer hardware that I own.

Unless we get some serious money, effort and/or regulation w.r.t. OSS firmware, that will likely never be the case.
That has nothing to do with its technology though, that’s a political issue. GUIX is a GNU project and acts like proprietary software does not exist/is not a basic necessity in 2023.

Atemu , 8 months ago

the parts of Guix in which packages are defined are quite pure, even using monads for some things

Monads have nothing to do with purity. In fact, one of the most infamous usages of them is Haskell’s IO monad which is probably the most impure construct in the entire language.

it is really not too different from the Nix language.

Hm, I can’t help but think that a lisp dialect can never really be similar to any language except another lisp.

Atemu , 8 months ago

Not quite: It’s an expression language.

The ultimate output of Nix is one set of data, usually the description of a derivation (~= package). You cannot cause arbitrary side-effects with it like writing to files or making network requests with it.

Atemu , 7 months ago

If you don’t have the requisite bare metal to run Guix by itself

That’s a bit disingenuous wording as modern hardware that can run without proprietary firmware is an absolute rarity at this point.

The vast majority of people on earth do not have access to such hardware.

The linux-libre kernel is only an issue for Guix System (the analogue to NixOS for Nix)

Point taken. I was talking about the OS aspect of both though, given that @Ramin_HAL9001 compared it to Debian and Fedora.

The project should have really kept the GuixSD name. Much clearer separation and also sounds a lot better.

package managers who attempt to sweep nonfree software under the rug and try to make the issue invisible.

Which ones?

In Nix, you get a giant red error when you try to eval unfree software and need to explicitly opt-in.

Atemu , 8 months ago

They’re not doing like proton and close basic stuff like IMAP and SMTP as a way to force you on the official apps

The reason Proton cannot do IMAP/SMTP is that they cannot read your emails which is required for both. That’s a feature, not a bug.

PM works with any app as long as the app implements their custom protocol for which there are at least two FOSS implementations as a reference.

proton is a “fake” open source that is mostly used for marketing: they opened only the UI, which communicates with a proprietary protocol to a proprietary server - useless

While I’d also prefer their back-end to be OSS, it’s not nearly as critical as the clients.
As a user, it doesn’t make a difference. I’m paying for an opaque service either way.

All the interesting stuff (E2EE, zero access storage) happen in the clients anyways. The BE is fairly uninteresting; it’s a mail server + zero-access encryption + Proton account handling. If you really wanted to build a mail service similar to Proton, you could build that yourself and probably would have to anyways.

Atemu , 7 months ago

The backend is the real interesting part, and the only way that we can be sure that “they cannot read the emails”

While I’d still prefer it, OSS can’t really help with that because what’s really required here is remote attestation.
That is an unsolved problem to my knowledge; there is no way to know which software they’re actually running. Even if they published the source code, they could trivially apply a patch in their deployment that stores all incoming email somewhere and you’d be none the wiser.

Even if they published source code and could somehow prove to you that they’re running a version derived from it, you would still not be safe from surveillance as one could simply MITM all connections. See i.e. notes.valdikss.org.ru/jabber.ru-mitm/.

That’s likely one of the reasons they do everything they can to make PGP accessible to every user.

imap/smtp can be toggled with a warning, if that’s really their concern

It’s plain and simply not how their service works. They’d have to build most of their service a second time but unencrypted.

It’s like asking Signal to build in support for IRC; it does not make sense for them to do that in any way without malicious intent needed.

no IMAP = no easy migration to somewhere else

You have IMAP access via the bridge. That’s what it’s for.

Atemu , 8 months ago

Ah I think Windows does this “helpful” thing where it installs its bootloader into the ESP of any drive if it’s already present rather than the drive you explicitly told it to install onto.

You didn’t have anything in it yet, right? Unplug all other drives and then re-install Windows onto the drive. It should work as expected after that.

IIRC Pop!_OS sets the systemd-boot timeout super short; you have to hold a key after the firmware is done or something to get to it reliably or simply increase the timeout (1s is enough, I have it set to that on my systems). systemd-boot should give you the option to boot any windows installation though, it can auto-detect them.

Atemu , 8 months ago

Not exactly sure what you’re asking for but

<span style="color:#323232;">cat /proc/mounts
</span>

will reveal all mount points on the device aswell as which device is mounted there.

Atemu , 8 months ago

The best way I know of is to get yourself a VM and get into the weeds; try to configure a system to your liking.

Follow the NixOS manual. The Wiki is unofficial; often opinionated, out of date or just plain wrong. Take it with a grain of salt. The canonical source of documentation is the NixOS manual and it’s not nearly as bad as you may have heard.

Make extensive use of search.nixos.org/options or man configuration.nix. Finding and making proper use of options and the module system is the bread and butter of using NixOS.

Eventhough everyone and their mom will recommend them to you for nebulous reasons, ignore flakes for now. You will know when you’ll benefit from using them; namely when you need to use something outside of NixOS/Nixpkgs. You’re going to have enough to figure out with plain old NixOS on its own though; I don’t have external dependencies in my config to this day.

To wrap it up, make sure to ask the community if something’s not working as expected: github.com/NixOS/nixpkgs#community

Atemu , 8 months ago

Note that while they’re disingenuously proclaiming themselves to be a “free” tool, the license is actually an unfree proprietary custom license.

Atemu , 8 months ago

There’s three reasons:

• As mentioned in the blog post, Funnel is still a rather new feature. It’s still in beta.
• It goes far beyond Tailscale’s core purpose; it’s basically a separate service.
• It’s free for now but probably won’t be for long. TS’ core functionality will likely be free or at worst very low cost for a long time but public hosting is a helluvalot more costly and also dangerous.

That said, if I had to share something with the public internet temporarily, I’d try not doing that first but could see myself using TS Tunnels.

Atemu , 8 months ago

Not really. As soon as you have a path from global internet into your home network, all bets are off and you’re now in charge of securing all of that against the entire world.

That said, if this is a regular old HTTP service, I believe Cloudflare Tunnels offer a way to put an authentication mechanism in front. This can work if, just like with Tailscale, you have a limited known set of users but the difference is that those users don’t to have to install and use a VPN client to access your service but rather authenticate using an “external” HTTP service through their browser. Again, I do not believe this works for services accessed through APIs and certainly not ones using custom protocols.

I can’t stress enough that getting those remote users to use Tailscale is probably the best and easiest solution.

Atemu , 8 months ago

Does Fedora have offer an LTS kernel package?

They don’t and it’s insane.

Atemu , 8 months ago

Look into used/older Pixels.

Atemu , 8 months ago

NVIDIA getting its shit together maybe?

Given the recent pace of NVK development we probably won’t have to rely on that for much longer in 2024.